K3s on RHEL/CentOS/Oracle Linux

firewalld/fapolicyd

It is recommended to disable and :

systemctl disable firewalld --now
systemctl disable fapolicyd.service

nm-cloud-setup

If enabled, it is required to disable nm-cloud-setup and reboot the node:

systemctl disable nm-cloud-setup.service nm-cloud-setup.timer
reboot

make sure noexec is not used for dedicated rancher partition

If you are using a dedicated partition (/var/lib/rancher) to run K3s make sure to NOT have mounted it using noexec flag inside /etc/fstab file.

disable fips mode

If you have enabled is necessary to disable it otherwise some of our workloads running in K3s will crash at startup. To check if FIPS is enabled run:

sysctl crypto.fips_enabled

In order to disable, please refer to the instruction below:

fips-mode-setup --disable

iptables

RHEL like systems have buggy version of iptables 1.8.4 which is causing issues with firewall, service routing and external network reachability as well as performance issues. It is required to configure k3s to use bundled version by modifying k3s service( same for k3s-agent service on worker nodes in HA deployments) file and adding --prefer-bundled-bin option to service’s cmd and restarting service.

~$ cat  /etc/systemd/system/k3s.service
ExecStart=/usr/local/bin/k3s \
    server \
	'--node-name=local-01' \
	'--prefer-bundled-bin' \
~$ sudo systemctl daemon-reload
~$ sudo systemctl stop k3s
~$ sudo systemctl start k3s
~$

If this change is done on existing system reboot is recommended to clear duplicate iptables rules.

~$ sudo reboot